Rio Marine Inc. Hit by $56M Ransomware Attack from Cactus Group

Incident Date: September 6, 2024


Overview

Victim: Rio Marine Inc.

Attacker: Cactus

Location: Channelview, Texas, USA

First Reported: September 6, 2024

Ransomware Attack on Rio Marine Inc. by Cactus Ransomware Group

Rio Marine Inc., a prominent player in the marine industry, has recently fallen victim to a ransomware attack orchestrated by the notorious Cactus Ransomware Group. The attack, discovered on September 7, has resulted in the exfiltration of 490GB of sensitive data, including personally identifiable information, engineering data, customer information, financial documents, and more. The attackers have demanded a ransom of $56 million USD.

About Rio Marine Inc.

Established in 1929 by Leo Glynn, Rio Marine Inc. has evolved from its origins as Glynn Electric into a comprehensive service provider in the marine sector. The company operates through four primary divisions: Rio Marine, Rio Controls & Hydraulics, Rio Electronics, and Rio Power Management. With a workforce of over 150 skilled technicians available 24/7, Rio Marine specializes in electrical maintenance, barge maintenance, hydraulic systems, and electronic solutions. Their extensive service offerings range from basic repairs to full vessel refits and installations, making them a versatile and reliable partner in marine operations.

Attack Overview

The ransomware attack on Rio Marine Inc. has led to the compromise of a significant amount of sensitive data. The stolen information includes personal data of employees and executives, engineering drawings, project details, customer information, financial documents, contracts, corporate correspondence, and database backups. Less than 1% of the stolen data has been disclosed publicly, with download links provided on the dark web. The attackers have demanded a ransom of $56 million USD to prevent further data leakage.

About Cactus Ransomware Group

The Cactus Ransomware Group, identified in March 2023, has quickly become a notable player in the ransomware landscape. The group employs sophisticated tactics, including double extortion: it not only encrypts data but also threatens to leak sensitive information if the ransom is not paid. Cactus primarily gains access to networks by exploiting known vulnerabilities in VPN devices and through phishing attacks. The ransomware takes the unusual step of encrypting its own binary to evade antivirus detection, which makes it particularly challenging for security teams to identify and respond to.

Penetration and Vulnerabilities

Rio Marine Inc.'s extensive use of advanced systems for marine propulsion controls, alarm systems, and power management solutions may have made them an attractive target for the Cactus Ransomware Group. The group's ability to exploit vulnerabilities in VPN devices and use phishing attacks to gain initial access likely facilitated the breach. Once inside the network, Cactus established command and control communications via SSH and utilized Scheduled Tasks to maintain persistence, allowing them to exfiltrate a substantial amount of sensitive data.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.